4
CASC: 4/23/2014 University Information Technology Services As HPC shops, our heritage has been to serve physical scientists and engineers - the “usual suspects”. Regulatory compliance is a concept foreign to these users. While we’ve addressed security, compliance still remains an unexplored frontier, not only for HPC, but for Central IT in general. A Changing Landscape

5
CASC: 4/23/2014 University Information Technology Services Clinical research computing, traditionally confined to Med School cyberinfrastructures, increasingly requires HPC resources.  Med School IT cannot keep pace; identifiable HIPAA data is leaking into Central IT/national HPC environments. We have to weave compliance into the HPC fabric sooner or later. The New Reality

6
CASC: 4/23/2014 University Information Technology Services New Motivations A new HIPAA Omnibus Rule came out in 2013, with new requirements and mandates. The government will initiate random HIPAA audits in (They were triggered only in response to a breach earlier.) Penalties have been raised to millions.

7
CASC: 4/23/2014 University Information Technology Services The Corrective Action Plan (CAP) signed by Idaho State University Breaches reported by universities  But the worst is being in the newspapers!

8
CASC: 4/23/2014 University Information Technology Services HIPAA applies if even a single clinical researcher has an account on a system. The govt. says you should have known that allowing clinical researchers on a system opens the possibility of sensitive health information on the system.)  An environment with clinical researchers must be secured, independently of what a researcher may or may not do. No Plausible Deniability

9
CASC: 4/23/2014 University Information Technology Services FISMA In addition to HIPAA, we now have FISMA to deal with. It is slowly showing up in NIH grants and contracts. It is the next regulatory frontier HPC will have to deal with. Fortunately, it’s possible to tackle both HIPAA and FISMA using a single, unified approach.

10
CASC: 4/23/2014 University Information Technology Services The Scope HIPAA & FISMA require end to end security. This means starting at the customer end (where data is generated)  the network  your end  data disposal. Any and all dependencies and infrastructure pieces must also be included. We must consider the entire research workflow.

15
CASC: 4/23/2014 University Information Technology Services Addressed via the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule defines who HIPAA applies to (covered entities) and what is protected (protected health information or PHI*). The Security Rule focuses exclusively on how to protect electronic PHI (ePHI) in any form – at rest, in transit, under analysis, etc. * PHI is identifiable patient data with one or more of 18 identifiers Patient Privacy Protection

16
CASC: 4/23/2014 University Information Technology Services HIPAA Security Rule The Security Rule requires 1. administrative, 2. physical, and 3. technical safeguards to Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; Ensure compliance by the workforce; and Provide a means for managing risk in an ongoing fashion.

18
CASC: 4/23/2014 University Information Technology Services Required & Addressable Each Security Rule safeguard is either “required” or “addressable”. Required = what it says. Addressable = should address, but ok if you describe why it is not in place or how you will otherwise address the risk. A risk assessment (RA) identifies where to concentrate effort. RA can be internal or external.

19
CASC: 4/23/2014 University Information Technology Services Breach Notification HIPAA requires that a breach of ePHI be reported ASAP: 1.To everyone whose ePHI has been compromised. 2.For a breach involving > 500 patients, to the media and the Secretary of HHS.

20
CASC: 4/23/2014 University Information Technology Services Business Associates HIPAA requires a business associate agreement (BAA) with any external entity (= business associate) that touches your ePHI. Your BAA must include a clause that the BA will protect your ePHI. So must their BAAs with their BAs. Due diligence requires ensuring that the BA can actually protect your ePHI as per HIPAA.  Purchasing & HIPAA Compliance Office partnerships

23
CASC: 4/23/2014 University Information Technology Services Employees, healthcare providers, trainees & volunteers at the medical school and affiliated healthcare sites or programs. Employees who work with university health plans. Employees who provide financial, legal, business, administrative, or IT support to the above. Who does HIPAA Cover at a University?

24
CASC: 4/23/2014 University Information Technology Services Just Good Security? Q: So, the HIPAA Security Rule means we just need to provide good IT security for systems? A: NO. The Security Rule is about assessing & managing risk, and security is only PART of that process. HIPAA requires administrative controls, training, governance, policies, formal review, etc.

27
CASC: 4/23/2014 University Information Technology Services HIPAA Security Rule Myths Myth #1 – Security rule compliance is a boolean. Truth: There is no threshold where you suddenly become compliant. Myth #2 – You can be certified HIPAA compliant. Truth: No company or federal agency is authorized to certify you as being HIPAA “compliant”. (The only way to know for sure is to survive a HIPAA audit, highly undesirable.) So you align with the HIPAA rules as best as you can and “self assert” compliance.

28
CASC: 4/23/2014 University Information Technology Services HIPAA Security Rule Myths Myth #3 – Once compliant, you stay compliant. Truth: No. Compliance is an ongoing process; once started, it never stops. Myth #4 – You must use external third party for risk/security assessment. Truth: No. You can do it internally, so long as you follow accepted practices and document it all.

30
CASC: 4/23/2014 University Information Technology Services FISMA Federal Information Security Management Act of Requires government agencies to secure their system as per NIST guidelines. Subcontractors of the agencies (=you) must also comply. Contracts are now seeing FISMA language. You are likely to be involved.

31
CASC: 4/23/2014 University Information Technology Services The FISMA Process Grants Administrators/Business Development - Identify and notify the Office of Research Administration (ORA) if there are FISMA terms in the contract - Make sure the budget includes FISMA costs - Identify and document key IT security personnel - Make sure all documents that are referenced are included PI/Study Team - Clearly describe the scope of work - Identify all potential subcontractors and their scope of work PI/Study Team and IT Support - Clearly describe data flows - In detail, describe all systems used to support the contract

33
CASC: 4/23/2014 University Information Technology Services Authority to Operate The information security plan is submitted to the agency. An ATO letter is issued by the government agency to the business owner (and some authoritative information security unit like the ISO) authorizing operations of the system. If remediation is not too serious, the agency will issue an Interim Authority To Operate (IATO). The IATO will have a defined end date. Therefore, the problems must be fixed by a certain date.

34
CASC: 4/23/2014 University Information Technology Services Plan of Action & Milestones The POA&M describes remediation steps. Even if a contractor receives an ATO, there still may be items for which the agency requires remediation. These weaknesses may not be significant enough to withhold an IATO/ATO, but they still must be corrected. Someone at your institution (the ISO?) must track these items and ensure that they are completed.

36
CASC: 4/23/2014 University Information Technology Services Research Computing at IU Indiana University has a large central IT organization called the University Information Technology Services (UITS). We provide advanced cyberinfrastructure - supercomputing, massive data storage, visualization, etc., as well as basic services. Before 2000, IU research cyberinfrastructure was used mostly by the usual suspects.

37
CASC: 4/23/2014 University Information Technology Services HIPAA History In 2000, a grant from the Lilly Endowment required our cyberinfrastructure to support biomedical researchers at the IU School of Medicine. We stored non-ePHI for IUSM for some years. A decision was finally made to align our entire research cyberinfrastructure with HIPAA. Accomplished in 2009 after a year of effort.

38
CASC: 4/23/2014 University Information Technology Services IU’s Approach A protected, walled garden will give you bullet-proof security. This may work from low to moderate scales. A separate walled garden HPC environment just for HIPAA is infeasible/impractical. HIPAA does not require bullet-proof security. At IU, we decided to focus on risk, not bullet-proofing.

40
CASC: 4/23/2014 University Information Technology Services ① Assign Ownership Dedicated resources commensurate with the scale. At IU, we spent around 1.5 FTE-year for the initial effort and 1.0 FTE on an ongoing basis. Assigned someone to lead the project. Empowered the leader.

42
CASC: 4/23/2014 University Information Technology Services ③ Document Everything Spent a lot of time on developing a documentation strategy/format. Documented all current policies and procedures, physical, administrative, and technical controls. Consulted with line managers & key staff. Instituted a secure document management system (DMS).

43
CASC: 4/23/2014 University Information Technology Services ④ Hire External Consultant Asked IU Compliance folks for references. Got referred to a consultant from DC, who also serves on national HIPAA committees, etc. Consultant was given information about the organization, documentation, etc. Consultant visited IU a couple times to do in-person interviews.

46
CASC: 4/23/2014 University Information Technology Services ⑥ Assess Risk Everything we had went into the risk assessment exercise. Submitted updated documentation and other information as requested to the external consultant. On-site interviews followed. Received a risk assessment report. Report identified risks and scored them.

47
CASC: 4/23/2014 University Information Technology Services Follow Standards We were measured against the NIST security standard since it is often used for complying with HIPAA. This was fortuitous later for our FISMA work. It put an “official seal” & added rigor to the process. We also reviewed other NIST guidelines and standards such as ISO 27001, etc. and IT best practices.

50
CASC: 4/23/2014 University Information Technology Services ⑧ Get Official Blessing & Advertize Submitted everything to the oversight committee. Received an official letter of approval from Compliance in January Advertized internally and targeted only IUSM researchers to avoid unnecessary attention.

52
CASC: 4/23/2014 University Information Technology Services Do I too need to do ALL THIS? No. HIPAA does not prescribe how you manage risk, just that you do. You can customize according to your environment, budget, and risk level. Chances are you already meet a bulk of HIPAA Security Rule requirements. You need to document your practices in the format HIPAA requires.

55
CASC: 4/23/2014 University Information Technology Services Lessons Learned At IU, HIPAA compliance has made a huge impact. Starting from zero in 2009, we now have: 1.Number of biomedical user accounts3,000 2.Volume of biomedical data stored~1PB 3. Use of computing cycles1 MSUs 4. Number of databases> New services for biomedical users>10 6. Number of NIH grants that fund FTEs5 7. Number of FTEs funded by these grants~ 10

56
CASC: 4/23/2014 University Information Technology Services Benefits The IU Compliance office trusts us and sends customers our way. (We have made their job easier by lowering institutional risk.) The School of Med researchers are flocking to us to meet their research computing needs. We have standardized on regulatory compliance, saving effort and $ going forward. We can defend ourselves if audited.

57
CASC: 4/23/2014 University Information Technology Services Current Status We are establishing institutional processes. HIPAA is mostly in place for HPC/Central IT. FISMA is in process. A new IT policy addresses risk institutionally. As for many others, IU’s GRC (Governance, Risk, Compliance) framework is evolving rapidly. We have learned a lot in the past half decade.

60
CASC: 4/23/2014 University Information Technology Services Conclusions There will be more ePHI in more places on HPC and Central IT systems. There will be more regulations ending with an “A”! Not paying attention will impact institutional liability and reputation. An institutional RMF is essential/feasible. It will give you resources to align with any current/future regulation/requirement.

61
CASC: 4/23/2014 University Information Technology Services WE ARE MORE THAN HAPPY TO HELP